V-370-59792-00041 - How to configure Backup Exec with Firewalls


Article: 100017208
Last Published: 2020-07-10
Product(s): Backup Exec

Problem

This article discusses how to configure Backup Exec with firewalls.

UMI: V-370-59792-00041

UMI Code: V-79-57344-3842
Error Code: 0xe0000f02 - The media server could not connect to the remote computer.

UMI Code: V-79-57344-3877: A communication failure occurred when attempting to connect to this server. Some common causes for this error are: the computer name is typed incorrectly, the computer is not powered on, a Backup Exec agent is not installed, or the network is improperly configured.
Error Code: 0xE0000F25

Solution

Note: To check if this document describes the computer in question, download and run a health check with Veritas QuickAssist.

 

In a firewall environment, ensure the port settings are configured correctly; otherwise the following Backup Exec operations may be interrupted:

1. Browsing to remote machines through a firewall via the Backup Selections List
2. Backing up and restoring machines through a firewall


Browsing systems through a firewall:

Because most firewalls do not allow a remote system to be displayed in the Microsoft Network Neighborhood, additional steps need to be performed to select these remote systems in the Backup Exec Administration Console.

Use "User-Defined Selection" to view systems behind a firewall.

1. On the navigation bar, click the Backup button in the Backup Exec interface.
2. Right-click the User-Defined Selection folder.
3. In the "Define a selection" field, after the \\, type the name or IP address of the remote system, click Add, then Close.

Backing up systems through a firewall/TCP-filtered environment:

Because firewalls affect communication between a media server and remote systems outside the firewall environment, special port requirements must be considered when configuring Backup Exec for use with firewalls. If you are using Symantec Endpoint Protection as a firewall, you can also free any 25 random ports from the console.

Ports that need to be opened on the FIREWALL:
 

For Backup Exec 20:

| Service | Process | Port | Port Type |
|---|---|---|---|
| Backup Exec Agent Browser | benetns.exe | 6101 | TCP |
| Device and Media Service | pvlsvr.exe | None | None |
| Backup Exec Server | beserver.exe | 3527, 6106 | TCP |
| Backup Exec Job Engine | bengine.exe | 5633 by default (can be customized) | TCP |
| Agent for Windows; Agent for Linux; Agent for Oracle on Windows or Linux | beremote | 10000; dynamic range from 1024 to 65535 by default (can be customized) | TCP |
| Alert Server | alertserver.exe | None | None |
| Backup Exec Management Service | BackupExecManagementService.exe | 50104 | TCP |
| Deduplication engine | Spoold.exe | 10082 | TCP |
| Deduplication Manager | Spad.exe | 10102 | TCP |

 

 

For earlier versions:

| Port number | Type of connection |
|---|---|
| 10000 | Control |
| 1025-65535 (default dynamic ports) | Data |


Note: A dynamic port is a port that is not permanently assigned to any specific protocol. Dynamic ports are intended for temporary use.
A minimum of two ports is required per backup job through a firewall. If several backups run at the same time through the firewall, more ports need to be opened.

Note: It is recommended to keep a range of ports open instead of just one, because other applications can also use dynamic ports. Keep at least 25 ports open for the remote system, so that a pool of ports is available to all applications needing them. For example:
 
A Control connection is always established bi-directionally on TCP Port 10000 between the media server and remote machine. 

Advertising is done on port 6101 from the remote server to the Backup Exec server.

Data connections for the backup are done on ports within the Dynamic Port Range. 

Recommended port considerations for a firewall/TCP-filtered environment:

When performing remote backups through a firewall, select a specific range in the Network & Firewall defaults dialog box in the Backup Exec console. Open the same range on your firewall.
The Dynamic or Private Ports are those from 1025 through 65535.
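
The port guidance above, applied to Windows Firewall on a remote agent host, as an added example that is not part of the original article or Veritas's own tooling. The server address, the port range and the job count are constructed placeholders, and the direction of the data connections (inbound at the agent) is an assumption to confirm for your deployment.

```powershell
# Added example: run in an elevated PowerShell session on the remote agent host.
# All values below are constructed placeholders; replace them with your own.
$MediaServer    = '192.0.2.10'  # Backup Exec server address (documentation range)
$RangeStart     = 56000         # first port of the range set in Backup Exec
$RangeEnd       = 56024         # last port (25 ports in total)
$ConcurrentJobs = 4             # backups expected to run at the same time

# Article rules: range inside 1025-65535, at least 25 ports, two ports per job.
$portCount = $RangeEnd - $RangeStart + 1
if ($RangeStart -lt 1025 -or $RangeEnd -gt 65535) { throw 'Range must lie within 1025-65535.' }
if ($portCount -lt 25) { throw "Only $portCount ports; keep at least 25 open." }
if ($portCount -lt 2 * $ConcurrentJobs) {
    throw "Need $(2 * $ConcurrentJobs) ports for $ConcurrentJobs concurrent jobs."
}

# Control connection: TCP 10000, accepted from the Backup Exec server only.
New-NetFirewallRule -DisplayName 'Backup Exec agent control (TCP 10000)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 10000 `
    -RemoteAddress $MediaServer | Out-Null

# Data connections: the narrowed dynamic range with the same source restriction.
# Assumption: data connections arrive inbound at the agent.
New-NetFirewallRule -DisplayName 'Backup Exec agent data (dynamic range)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort "$RangeStart-$RangeEnd" -RemoteAddress $MediaServer | Out-Null

# Advertising: agent to Backup Exec server on TCP 6101.
# Only needed when outbound traffic is filtered on this host.
New-NetFirewallRule -DisplayName 'Backup Exec agent advertising (TCP 6101)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 6101 `
    -RemoteAddress $MediaServer | Out-Null

# Review what was created: port and address filter of each rule.
Get-NetFirewallRule -DisplayName 'Backup Exec agent*' | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Ports  = ($_ | Get-NetFirewallPortFilter).LocalPort
        Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```

The range in the script has to be the same one entered in the Network & Firewall defaults dialog box, and the same range has to be opened on any network firewall between the two hosts.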

For the Deduplication Storage option, the following UDP and TCP ports are required:

- 10082: The Deduplication Engine (spoold). Open this port between the hosts that deduplicate data.
- 10085: The deduplication database (postgres).
- 10102: The Deduplication Manager (spad).

Firewall Settings for the Remote Administrator (running on Windows 2008 R2)

To detect and manage the Backup Exec services for a remote Backup Exec server running Windows 2012 R2 from the Remote Administrator running on a Windows 2008 R2 computer, enable the following firewall inbound rules on the remote Backup Exec server:

- Remote Service Management (RPC-EPMAP)
- Windows Management Instrumentation (WMI-In)

 

 
